The correct answer is A. Block List files - Configure disallowed files. Custom Policy Tools are used to manage Threat Prevention objects and enforcement helpers under the Threat Prevention policy view. A Block List file is used to define files that should be treated as disallowed, blocked, or explicitly malicious/undesired according to the policy objective. This is the opposite of the Allow List, which Check Point documents as a list of trusted files that the Threat Prevention engine does not inspect for malware, viruses, and bots, helping reduce gateway resource utilization. The official guide shows Allow List Files under Threat Prevention > Custom Policy Tools > Allow List Files.
Option A is therefore the correct true statement because it accurately describes the role of block-list file handling. Option B sounds plausible but is not the tested correct statement in this question’s answer key; the course item is specifically validating the Block List definition. Option C is incorrect because indicators are not “benign activity”; indicators usually represent observables such as IPs, domains, URLs, or hashes used for threat intelligence or enforcement. Option D is incorrect because profiles are not only available for Autonomous Threat Prevention; Custom Threat Prevention also uses profiles such as Basic, Optimized, and Strict. Reference topics: Custom Policy Tools, Block List Files, Allow List Files, Indicators, Threat Prevention Profiles.
Question 9
What deployment options for SmartEvent exist?
Options:
A. 1. Standalone and 2. Distributed Deployment
B. 1. Integrated/Standalone and 2. Dedicated Server
C. 1. Prevent Mode and 2. Detect Mode
D. 1. High Availability Mode and 2. Load Sharing Mode
The correct answer is B. 1. Integrated/Standalone and 2. Dedicated Server. SmartEvent is Check Point’s event analysis, correlation, and reporting platform. Official Check Point Logging and Monitoring documentation explains that SmartEvent Server is integrated with the Security Management Server architecture and can communicate with Log Servers to read and analyze logs. It further states that administrators can enable SmartEvent on the Security Management Server or deploy it as a dedicated server. In Multi-Domain environments, Check Point requires SmartEvent on a dedicated server.
This maps directly to the course terminology: integrated or standalone deployment means SmartEvent runs on the existing management architecture, while a dedicated server deployment separates SmartEvent components onto another machine for scale, retention, performance, or Multi-Domain requirements. Option A uses generic distributed language but not the tested Check Point deployment wording. Option C confuses SmartEvent deployment with Threat Prevention enforcement states such as Prevent and Detect. Option D refers to clustering concepts and does not describe SmartEvent deployment models. In production design, dedicated SmartEvent is preferred when log volume is high, reporting is heavily used, or event correlation must not compete with management operations. Reference topics: Deploying SmartEvent, SmartEvent Server, Correlation Unit, Integrated/Standalone deployment, Dedicated SmartEvent Server.
Question 10
What is the default Track option for IPS Protections?
The correct answer is D. Log. In Check Point Threat Prevention, tracking determines what evidence is generated when a rule or protection matches traffic. The official Logging and Monitoring guide states that Log is the default option in the Threat Prevention policy, and that it shows the information the Security Gateway used to match the connection, including at minimum source, destination, source port, and destination port. It also explains that richer session details can appear when the rule includes application or data-type matching.
For IPS protections, this default is operationally important because IPS enforcement without logs would make post-event investigation, false-positive analysis, tuning, and compliance validation much harder. None is specifically documented as the default in Access Control policy, not Threat Prevention. Alert is a stronger notification mechanism but is not the default tracking behavior. UserCheck is an end-user interaction mechanism used in selected blades and scenarios, not the default IPS protection tracking value. The default Log setting gives administrators visibility into IPS matches while avoiding the operational noise of alerting on every event. Reference topics: Threat Prevention Track options, IPS logging, Logs & Monitor, protection match evidence, default Threat Prevention tracking.
The correct answer is A. Infected host identification. Malware DNS Trap is designed to help identify compromised clients by redirecting malicious DNS resolution to a controlled false IP address and then observing which internal hosts attempt to connect to that trap address. Check Point’s R81.20 Threat Prevention guide states that Malware DNS Trap can be used to detect compromised clients by checking logs with connection attempts to the false IP address. It also notes that internal DNS servers can be added to better identify the origin of malicious DNS requests.
This makes the primary operational benefit host attribution. While DNS security can block or prevent malicious DNS-related activity, DNS Trap’s distinctive value is showing which internal endpoint is likely infected or attempting malicious communication. Option B is more aligned with URL Filtering or URL reputation, not DNS Trap. Option C describes a blocking outcome, but it misses the key trap mechanism and attribution purpose. Option D is incorrect because the usual DNS Trap use case concerns internal clients generating suspicious outbound DNS or follow-up connections, not inbound malicious DNS queries. Reference topics: Malware DNS Trap, Anti-Bot & Advanced DNS, false IP address, compromised-client detection, infected-host investigation.
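The log check described above, as an added example that is not taken from Check Point documentation or from this page's source: it scans connection logs for internal hosts that tried to reach the trap address and summarises them per host. The key=value log format, `TRAP_IP`, `INTERNAL_NETS` and all function names are constructed assumptions, not Check Point's log schema or defaults.

```python
import ipaddress
from collections import defaultdict

# All values below are constructed for illustration.
TRAP_IP = "192.0.2.10"  # placeholder for the configured false IP address
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

SAMPLE_LOG = """\
time=2026-01-10T08:00:01Z src=10.1.4.22 dst=10.0.0.53 dport=53 proto=udp
time=2026-01-10T08:00:02Z src=10.1.4.22 dst=192.0.2.10 dport=443 proto=tcp
time=2026-01-10T08:00:09Z src=10.1.4.22 dst=192.0.2.10 dport=8080 proto=tcp
time=2026-01-10T08:03:40Z src=10.2.7.91 dst=192.0.2.10 dport=443 proto=tcp
time=2026-01-10T08:04:00Z src=10.3.1.5 dst=203.0.113.80 dport=443 proto=tcp
time=2026-01-10T08:04:30Z src=198.51.100.9 dst=192.0.2.10 dport=443 proto=tcp
truncated line without fields
"""

def parse_line(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    rec = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return rec if {"time", "src", "dst", "dport"} <= rec.keys() else None

def is_internal(ip_text):
    """True when the address parses and falls inside an internal network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_trap_clients(log_text, trap_ip=TRAP_IP):
    """Summarise internal hosts that attempted to connect to the trap address."""
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Skip malformed lines, other destinations, and non-internal sources.
        if rec is None or rec["dst"] != trap_ip or not is_internal(rec["src"]):
            continue
        h = hits[rec["src"]]
        h["count"] += 1
        h["ports"].add(int(rec["dport"]))
        # ISO-8601 UTC timestamps in one format sort correctly as strings.
        h["first_seen"] = min(filter(None, [h["first_seen"], rec["time"]]))
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_trap_clients(SAMPLE_LOG).items()):
        print(host, info)
```
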